Basic usage

Base syntax

nmap [scan type] [options] {targets}

Target specification

IPv4 address:
IPv6 address: AABB:CCDD:FF%eth0
Host name:
IP address range: 192.168.0-255.0-255
CIDR block:
Input from list of hosts/networks: -iL <filename>

Target ports

-F: scan 100 most popular ports
-p<port1>-<port2>: port range
-p<port1>,<port2>,...: port list
-pU:53,U:110,T20-445: mix TCP and UDP
-r: scan ports consecutively - don't randomize
--top-ports <n>: scan n most popular ports
-p-65535: leaving off initial ports make nmap scan start at port 1
-p0-: leaving off end port makes nmap scan up to port 65535
-p: leaving off start and end port makes nmap scan ports 1-65535

Probing options

-Pn: treat all hosts as online -- skip host discovery
-PB: default probe (TCP 80, 445 & ICMP)
-PS<port list>: check wheter targets are up by probing TCP ports
-PE: use ICMP echo request.
-PP: use ICMP timestamp request.
-PM: use ICMP netmask request.

Scan types

-sn: probe only (host discovery, not port scan)
-sT: TCP connect scan
-sU: UDP scan
-sV: version scan
-O: OS detection
--scanflags: set custom list of TCP using URGACKPSHRSTSYNFIN in asy order.

Timing options

-T0: paranoid scan, a very slow scan (used for IDS evasion)
-T1: sneaky scan, excellent for avoiding firewalls (used for IDS evasion)
-T2: polite scan, unlikely to interfere with the target system (-10 times slower than default)
-T3: normal scan, the default NMAP timing template (based on target responsiveness)
-T4: aggressive scan, provides faster results on LANs (may overwhelm targets)
-T5: insane scan, a fast aggressive scan (will likely overwhelm targets or miss open ports)

Output formats

-oN: standard nmap output
-oG: greppable format
-oX: XML format
-oA <basename>: generate nmap, greppable, and XML output files using basename for files


--script: specify a script to run on the target
-sC: equivalent to --script=default

Misc options

-n/-R: never do DNS resolution/Always resolve [default: sometimes]
-6: use IPv6 only
-A: use several features, includinig OS detection, version detection, script scanning (default), and traceroute.
--reason: display reason nmap thinks port is open, closed, or filtered.
--open: only show open (or possibly open) ports
-v: increase verbosity level (use -vv or more for greater effect)


nmap -sV {target ip}
nmap -sV -sC {target ip}
nmap -sV -sC -Pn {target ip}
nmap -sV --script http-enum -Pn {target ip}
nmap -p 445 --script vuln -Pn {target ip}
nmap -p 445 --script smb-vuln-* -Pn {target ip}
nmap -F -sV -sC -sU -T4 {target ip}
nmap -sV -sC -n --min-rate 1000 -T4 {target ip}
nmap -p- -sS --min-rate 5000 --open -vv -n -Pn {target ip}
# split the scan in two phases
ports=$(nmap -p- --min-rate 1000 -T4 -Pn {target ip} | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV -sC -Pn {target ip}